Behaviormetrics application system for electronic transaction authorization

ABSTRACT

This invention discloses a system wherein behaviormetrics are utilized to authenticate electronic transactions, either alone or in combination with other identifiers such as PIN&#39;s, passwords, codes and the like. Probability profiles or probability distribution representations may be constructed for determining whether a purported or alleged authorized user is in fact the authorized user, by comparing new data on a real-time basis against probability distribution representations including an authorized user probability distribution representation and a global or wide population probability distribution representation, to provide a probability as to whether the purported authorized user is the authorized user. This invention may utilize keypad, touch screen dynamics, X-Y dynamics, data, X-Y device data, or other data from similar measurable characteristics (such as movement filmed by an ATM machine), to determine the probability that the new data from the purported authorized user indicates or identifies that user as the authorized user.

CROSS REFERENCE TO RELATED APPLICATION

This application claims priority from the following applications: (1)U.S. provisional patent application No. 60/819,946, filed Jul. 11, 2006,confirmation number 9053, entitled “The Application of Behaviormetricsfor the Authorization of Electronic Transactions”, by inventors TimothyErickson Meehan, Richland, Wash., and Herbert Lewis Alward, Coeurd'Alene, Id. The above-referenced U.S. provisional patent application ishereby incorporated herein by this reference as though fully set forthherein, including specification and drawings.

TECHNICAL FIELD

This invention relates generally to behaviormetrics in providing abehaviormetric based unique signature of a user in authenticating a userinput in connection with a financial or other transaction when a user isemploying a system input device.

BACKGROUND OF THE INVENTION

Today most business transactions or part of the transaction is performedelectronically. A potentially vulnerable and complicated aspect ofprocessing and/or performing an electronic transaction is to identifythe user electronically as the authorized user. To authenticate theoriginator of an electronic transaction, many devices use inputterminals as authenticating user interfaces into a business system withone of the most common being a credit card transaction. To identify theuser at automated teller machines (ATM), the user typically employs atouch screen device to key in their personal identification number (PIN)in conjunction with a swipe card entered into the machine. In thismanner both the swipe card and the PIN work in conjunction toauthenticate the user at the terminal. These are just two of manyexamples of how authorizations may be accomplished to guarantee theauthenticity of the owner of the transaction.

A sufficiently high level of security has not been achieved despite thelong sought need and motivation to try. Credit cards, debit cards, andbank cards for instance, are still relatively vulnerable to theft, whichputs the owner vulnerable to financial theft. Further, when passwordsare used in conjunction with cards, other and additional vulnerabilitiesmay be introduced into the transactions, such as the poor choice of auser-defined password, stolen passwords, lost passwords or thesituations in which the user exposes the password to an unauthorizedparty. Handwritten signatures of the users are often used in creditcards transactions, but they are vulnerable to manual and electroniccopying.

The industry has long recognized the need to try to reduce the level ofrisk or vulnerability which is inherent in secondary devices such asbiometric devices: fingerprint and retinal scanners, etc, thus requiringthe user to authenticate via redundant and varied means. However, thesemethods tend to be onerous and intrusive to the user and non-adaptive toany changes in the biometric signature. These prior attempts teach awayfrom this invention.

A less intrusive and more adaptable means of recording an identifiablesignature of the user is to monitor or additionally monitor thebehaviormetrics of the user at the input terminal. Behaviormetrics mayfor example pertain to how the user interacts with the input terminal,or acts or reacts while being observed by a camera or photo image deviceat or near the input terminal. The observed behaviors that may beobserved and/or recorded may for example include the rhythm or timing oftyping or input entry, the pressure applied during input, the locationon the terminal where input is made, etc.

Behaviormetrics can be monitored and applied at any input terminalincluding keypads, mouse devices, touch screens, pen or stylus devices,etc. It is the statistical behavior of use that has been shown to beunique and identifiable for each user.

In an exemplary scenario in which an unauthorized party gains initialaccess under an authorized user's identity, the behaviormetrics of theunauthorized party exposes them as a different person. Prior art focusedon keystroke dynamics as the identifying behavior of the user but a hostof input devices are at the general disposal of lay users. A shortcomingof some of the prior art is that no adaptive mechanism has beenestablished for the changes in the keystroke behavior or changes in anybiometric pattern. The prior art also uses techniques to authenticatethe user that are computationally intensive on a large scale andtherefore are less scalable than this invention, especially as utilizedover such mediums as the world wide web or internet.

Many devices and systems use a keypad, keyboard or similar terminal as auser interface to access the device or system. Keyboard terminals aregenerally hardware devices or user interfaces that emulate typewriters,but they are also keypads on cellular telephones, portable devices suchas PDA's and touch screen devices, tablet computers, or other devicesthat use a touch screen for key entry. These types of devices with theuser interfaces may for example be a computer or electronic machine thatgenerally requires any type of input such as alphanumeric input, butkeyboards are not restricted to having alphanumeric keys.

At the keypad, ATM, or keyboard for example, statistical dynamics of thekeyboard typing/entry are unique to the user, with some dynamics moreunique or indicative of that user than others. Therefore, the dynamicsof the authorized user's use of the input device, provide a way ofidentifying a probability that the purported authorized user is in factthe authorized user. This dynamic use unique to or indicative of aparticular person may also be referred to as a statistical signature ofthe authorized user at the human device interface. The ongoing dynamicuse of the user interface such as the keypad, touch screen or X-Y deviceprovides real time, continuous data which may be utilized toauthenticate the user.

In either case, the attempted unauthorized access may be identified in areal time, continuous fashion, by embodiments of this invention. Priorart focused on the timing of the keystrokes as the identifying behaviorof the user.

Identifying and knowing the user of a card or other input in a financialtransaction is a very desirable aspect of financial transactions,especially remote financial transactions, for security and otherreasons. The financial transaction input device, keypad, ATM or other,may preferably accurately define the current user of said computer orsoftware application.

This invention provides for the authentication of a user via the inputbehavior of the authorized user, such as by keypad, touch screen,keyboard, or by the X-Y device movement or dynamics of the authorizeduser. Unlike other biometric devices, it is non-intrusive and adaptableto changes in the user's behavior. The keypad, touch screen, keyboarddynamics and/or X-Y device dynamics system provided by this invention isrelatively scalable through the use of probability distributionrepresentations, which in some examples or embodiments, may providescales relative to O(1) number of users in calculating the likelihoodthe user is the authorized user. Other implementations scale to n or n²number of users. Embodiments of this invention may also provide a meansto notify security sentries and execute programmed actions upon a breachin security based on the keyboard dynamics.

Embodiments of this invention provide for the authentication of a uservia the behaviormetrics behavior of the user at the input device as ameans of a signature to authorize electronic transactions. Unlike otherbiometric devices, embodiments of this invention may be non-intrusiveand adaptable to changes in the user's behavior. These embodiments ofthis invention also do not require any additional hardware, since thebehaviormetrics can be recorded on existing hardware interfaces. Unlikeother implementations of behaviormetrics embodiments of this inventionare scalable through the use of probability tables, which scale relativeto O(1) number of users in calculating the likelihood the user is thelegitimate user. Other implementations scale to n or n² number of users.This invention also provides a means to notify security sentries andexecutive programmed actions upon a breach in security based on thekeyboard dynamics.

An object of some embodiments of this invention is to provide a userauthentication or identification system using data related to mousedynamics to determine if it is probable that the data is indicative thatthe purported authorized user is actually the authorized user, based onthe chosen data characteristic (which in some aspects of the inventionmay be like a signature) for the authorized user.

Probability distribution representations may be used in embodiments ofthis invention to identify if the purported or alleged authorized useror participant in the financial transaction is in fact the authorizeduser. Calculation and/or algorithms may be utilized to calculate thelikelihood the alleged authorized user is the legitimate authorized userwho has been authorized to access the system, account or device. Theprobability distribution representations provide a fast, adaptable andscalable mechanism for discerning legitimate users from illegitimateusers. Embodiments of this invention may also provide a system toprovide security alerts to, or notify, sentries when the systemdetermines that it may be probable that the new or purported authorizeduser may not in fact be the authorized user. In some aspects of thisinvention, the security notification mechanism may provide a moreproactive notification and security system to better secure the systemto which it is being applied.

It is an object of some embodiments of this invention to provide asystem for determining which of a plurality of identifying data pointsprovide better identification of an authorized user, user group or classof users.

While the invention was motivated in addressing some objectives, it isin no way so limited. The invention is only limited by the accompanyingclaims as literally worded, without interpretative or other limitingreference to the specification, and in accordance with the doctrine ofequivalents.

Other objects, features, and advantages of this invention will appearfrom the specification, claims, and accompanying drawings which form apart hereof. In carrying out the objects of this invention, it is to beunderstood that its essential features are susceptible to change indesign and structural arrangement, with only one practical and preferredembodiment being illustrated in the accompanying drawings, as required.

BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the invention are described below withreference to the following accompanying drawings.

FIG. 1 is a perspective view of a user utilizing a typical automatedteller machine, utilizing a keypad;

FIG. 2 is a perspective view of a user utilizing an exemplary touchscreen;

FIG. 3 is a block diagram of an exemplary data processing apparatus;

FIG. 4 is a exemplary flowchart illustrating one embodiment of thisinvention, wherein a sequence of logical steps are shown which may beemployed to define and store the behaviormetrics to be recorded andstored for an input device;

FIG. 5 is an exemplary flowchart illustrating an embodiment of thisinvention, wherein the sequence of logical steps may be employed tomonitor and store the behaviormetrics of a user for a specified inputdevice;

FIGS. 6 & 7 are an exemplary flowchart illustrating an embodiment ofthis invention, wherein the sequence of logical steps employed toconfigure a system to compare a current user against an archived user,store the transactions, notify the proper sentries when a discrepancyoccurs and take corrective actions;

FIG. 8 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a user typingkeystrokes for the key combination of ABC;

FIG. 9 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a user typingkeystrokes for the key combination of BCD;

FIG. 10 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes for the key combination of ABC;

FIG. 11 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes for the key combination of BCD;

FIG. 12 is a graphic representation of one embodiment of a probabilitydistribution representation for a user typing the keystrokes ABCillustrated in FIG. 8, overlaid on the embodiment of the probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes ABC illustrated in FIG. 10;

FIG. 13 is a graphic representation of one embodiment of a probabilitydistribution representation for a user typing the keystrokes BCDillustrated in FIG. 9, overlaid on the embodiment of the probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes BCD illustrated in FIG. 11;

FIG. 14 is an example of a flowchart of an embodiment of this inventionillustrating one possible sequence for constructing a biased scoringsystem using a characteristic data of an authorized user; and

FIG. 15 is a schematic representation of an identifier or signature unitor packet, which may be utilized in embodiments of this invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The term “data” as used herein may be any individual or group of data,data points or items, from any one of a number of sources and may be anyone of a number of different types of data. Data for example may be asensed data or grouping of individual data points, or a measurement ofmost anything that can be measured, preferably related to behavior ordistinguishing characteristics. Some examples of data may includeinformation, parameters, keystroke dynamics, X-Y device dynamics,events, characteristics, facial movement, eye movement, facial profile,data points, groups of data points or characteristics, inputs, signals,etc.

When the term “accessing” is used in connection with accessing data oraccessing characteristics or accessing other items, it is not limited toaccessing data or information from outside the processor, but insteadwould include all such items accessed within the data processingapparatus or system, or from sources external to the processor.

It will also be appreciated by those of ordinary skill in the art thatdata may also be a grouping or combination of any of the foregoing. Asone example, data points from keystroke dynamics from a user typing keysand keyboard or key-based interface, the timing of keying of keystrokesor keystroke combinations, may be measured for example for a series ofkeystrokes such as typing the keys ABC or BCD.

In some aspects of this invention, data is obtained by takingmeasurements from an X-Y device, for example measuring the speed atwhich a user moves on a touch screen input device for a financialtransaction, or the location area where a user tends to remain at reston the X-Y device, or the trajectory which the user tends to follow inmoving a computer mouse (or the user's finger on a touchpad input deviceto electronic system, or on a tablet computer). Another example may bewherein data such as the pressure which a user asserts on a tabletcomputer user interface (e.g. a screen), which in some examples includessensing pressure on a scale of zero to fifty-six.

The phrase “probability distribution representation” may be a behavioralrecord which may, but need not be, related to frequency of an identifiedbehavior, component of behavior, measurement of behavior or other datapoint. It will be recognized by those of ordinary skill in the art thatthese tables may come in numerous shapes, forms, configurations, scalesand may include singular measurements, groupings of measurements,groupings of data, or any other individual data points or items, whichmay provide identifying information for comparison, or fordistinguishing a particular identified or authorized user. Examples ofprobability distribution representations may be probability tables,histograms, bar graphs, frequency records, event counts, profiles,records, lookup tables, probability lookup tables, behavioral profiles,bar graphs, distribution functions, or others, all within thecontemplation of this invention. There may be different ways to visuallyrepresent a probability distribution representation, such as more as abar chart, curve, smoothed curve, series of data points representedgraphically, a histogram or others, with no one in particular beingrequired to practice this invention. Known techniques may be utilized tocreate or smooth or alter the curve and/or data representation.

When the term “authentication” is used herein it may be broader than itstraditional definition in that it may refer at least in part toidentify, identification, authorizing, authenticating, labeling,associating, or fingerprinting the data to an identified or authorizeduser for any one of a number of different purposes. Examples of purposesfor which authentication is desired may be authenticating that theperson possessing a password and entering into an online account is theperson or authorized user whose profile is recorded and the person thatis authorized to enter that contract. For instance if keystroke dynamicsor keystroke data provides the measurable or ascertainable data, then acomparison of the users keystroke dynamics to the probabilitydistribution representations for that user in the global probabilitydistribution representations for that keystroke dynamic would becompared in order to verify a probability that the purported or allegedauthorized user is the identified user or authorized user.

When the term or phrase “authorized user” is used herein, it means notonly a single user, but may also include a class, group or demographicof users all within the meaning of the phrase “identified user”. Forexample, it may include persons within an accounting group at acorporation who have access to a computer or electronic system ornetwork; or it may include a group of people classified together becausethey are all left-handed, wherein this invention is not limited to anyone in particular.

The term “global” in relation to a probability distribution reference orreferences may also be referred to as a wide population reference, forwhich there is no particular number or quantity of data points blended,but which will depend upon the circumstances. In most if not all casesthe wide population data will include more than a sample of one sincethe one data point would be from the current purported authorized user.

Embodiments of this invention are methods and apparatus configured toreceive, which may in some examples mean a system is configured toreceive, collect, capture, sense or parse data, and then to process orutilize said data as further described herein.

Embodiments of this invention may provide a desired advantage of beingmore scalable than other systems, in that substantial or even massiveamounts of data, characteristics, information or other measurable inputdata may be incorporated into one or more probability distributionrepresentations or histograms to provide a single or a small number ofprobability distribution representations against which to compare thenew information with. This means that massive information such asgathered over the World Wide Web or Internet may be distilled into oneor relatively few probability distribution representations against whichthe data can be quickly compared to determine if it is more probablethan not that the purported authorized user, is in fact the authorizeduser. The system designer adapting embodiments of this invention to agiven application will have many options in determining what type ofprobability distribution representation to construct, the data to bestdistinguish the distinguishing characteristic, and further in definingthe universe of data that may be combined to comprise the probabilitydistribution representation, to optimize the ability to distinguish auser, or to authenticate the authorized user.

Embodiments of this invention may but need not necessarily include anadaptive, scalable method to acquire a behavioral signature for a userof a system who utilizes a keyboard. These embodiments of this inventionmay for instance accomplish this by tracking a pattern of keyboarddynamics made by the user. This keyboard dynamic pattern becomes asignature for the user and can be used to determine if the user at thekeyboard is the same user registered as the current user via otherelectronic means such as a password or smart card, etc. The systemdefines the means to record the pattern, track the users at the keyboardterminal and notify proper authorities when the user at the keyboard isdetermined to be different than the user who is registered as the activeuser at the keyboard.

As fingerprints identify individual people, so does certain keyboarddynamic or other data identify an individual. Keyboard devices mayrender an identifiable signature related to the typing of the keys. Thisdata or characteristics of use may be used in similar fashion, such asutilizing the pattern with which the user interfaces with or used thekeyboard or parts thereof. This may in one example consist of measuringthe hold time of keys and/or the timing of the keystrokes. The patternof certain keystrokes may be sufficiently individualistic or unique toeach individual due to any one of a number of different factors, such asfor example the relationship between the timing of keystrokes betweenkeys and to the length of their arms, fingers, size of arm and fingerstrength, as well as familiarity with the keyboard. For another example,users may have different timing between keys “a” and “x” on a StandardEnglish keyboard. The set of the differences between the keys may yielda set of keystroke relationships for determining the probability that aparticular user is at a keyboard. The pattern of timing between the keysmay then become a unique identifier or signature of sorts, of the user.

Embodiments of the present invention may define an adaptive, scalablemethod to acquire a behavioral signature by recording thebehaviormetrics defined for an input device of a system that performselectronic transactions. This behaviormetric pattern alone or incombination with other indicators, become a signature for the user toauthorize electronic transactions or prevent unauthorized transactions.This invention defines the means to record the behaviormetrics, recordand compare the user behavior metrics at the input terminal and notifyproper authorities when the user at the input terminal is determined tobe different than the authorized user.

Embodiments of this invention may therefore include the establishment ofmeasurements and places probability profiles on the behaviormetrics ofany chosen n-gram measurement. The measurements may pertain to and arenot restricted to the hold time of a keystroke, the timing betweenkeystrokes, or the total time to produce an n-gram measurement ofkeystrokes. The n-gram measurement can be a single key, two keys to nkeys to acquire the measurement. For example, a trigraph would capturesets of three keys to determine the measurement.

It will also be noted that a behaviormetric for a given user of anelectronic transaction system may include without limitation, recordablemovements of the purported authorized user as monitored by a camera atan ATM location for example, as well as the behaviormetrics of thepurported authorized user interacting with or operating the electronictransaction input device, all within the contemplation of thisinvention.

To establish the probability profile of a user, the system captures thekeyboard events and the frequency of the keyboard events produced by theuser and stores the results. Table 1 illustrates an example event tablefor a trigraph. The system stores the three successive keys as a timingevent in milliseconds and the corresponding frequency of occurrence.These measurements then yield a user profile. TABLE 1 Trigraph usertiming events of keystroke collections. User A Trigraph Time(milliseconds) ABC 0 100 101 102 . . . 450 . . . 5000 frequency 0 4 0 2. . . 50 . . . 0 BCD 0 100 101 102 . . . 320 . . . 5000 frequency 0 2 15 . . . 35 . . . 0

Once the system sufficiently captures the user profile, the systemcalculates the user probability distribution representation by applyinga general kernel function, K_(h)(x), which smoothes the measured datainto a density estimator, given by:

K_(h)(x)=1/h K(x/h),

where h=bandwidth and

K=Uniform, Triangle, Quartic, Gaussian, Cosinus, or etc. kernelfunction.

The parameter, h, determines the smoothness of the estimation. When h→0,the kernel estimation is less smooth, and when h→∞, the kernelestimation is very smooth. The kernel function, K, can be any kernelestimation function where the ∫ K(x)dx=1. Table 2 illustrates thecalculation of the likelihood for each keyboard event. Once trained fora user, when a keyboard event occurs, the system returns the likelihoodvalue for that user. TABLE 2 User Probability DistributionRepresentation. User A Tri- graph Time (milliseconds) ABC 0 100 101 102. . . 450 . . . 5000 Like- 0.00 0.02 0.01 0.01 . . . 0.26 . . . 0.00lihood BCD 0.00 100 101 102 . . . 320 . . . 5000 Like- 0.00 0.01 0.010.02 . . . 0.20 . . . 0.00 lihood

To make the probability distribution representation more adaptive, moreparameters and training can be tied to the probability distributionrepresentation, such as time of day or type of application. The size ofthe user probability needs only to be as large as the typing key spacefor the user. In the case of username/password typing behavior where nofurther authentication is considered, then the user probabilitydistribution representation needs to contain only the n-grammeasurements for the user's username/password set. In the case ofcontinuous authentication of the user, then the user probabilitydistribution representation needs to contain the entire set of possiblen-gram measurements.

To establish the probability profile for an impostor, the systemestablishes a global probability distribution representation whichstores the probability profile of the other users to determine theprobability the typist is an impostor and not the alleged user. As donefor the user probability distribution representation, the systemcaptures the user's keyboard dynamics and stores the timing andfrequency of events. The results are smoothed using a general kernelfunction to establish a kernel density estimator. The estimatorcalculates the likelihood that the typist belongs in the global set ofusers versus the user profile. As in Tables 1 and 2, similar tables areconstructed for the global probability distribution representation asillustrated in Tables 3 and 4. TABLE 3 Trigraph user timing events ofkeystroke collections for the global set of users. Global Trigraph Time(milliseconds) ABC 0 100 101 102 . . . 400 . . . 5000 frequency 0 10001200 900 . . . 15000 . . . 10 BCD 0 100 101 102 . . . 380 . . . 5000frequency 0 700 400 1300 . . . 12000 . . . 17

TABLE 4 Global - Wide Population Probability DistributionRepresentation. Global Tri- graph Time (milliseconds) ABC 0 100 101 102. . . 400 . . . 5000 Like- 0.00 0.05 0.06 0.05 . . . 0.21 . . . 0.00lihood BCD 0.00 100 101 102 . . . 380 . . . 5000 Like- 0.00 0.04 0.010.06 . . . 0.18 . . . 0.00 lihood

With both the user probability distribution representation and theglobal probability distribution representation, the system applies BayesRule to determine a posterior probability the observed user is thealleged user. The posterior probability that the observed user is thealleged user, P(A|O), is given by:

P(A|O)=P(A)*L/((P(A)*L)+1−P(A)),

where P(A) is the prior probability the user is the alleged user and

L is the likelihood ratio.

The likelihood ratio is given by P(O|A)/P(O|I), where P(O|A) is theprobability the alleged user produced the observations and P(O|I) is theprobability an impostor produced the observations. Based on thethreshold set for the value of P(A|O), the system logs out the user ornotifies a security sentry of a potential breach in security.

Determining the user signature via keyboard dynamics provides a meansfor establishing a system to monitor the identity of users throughout anetwork of electronic devices in real time. The system to monitor useridentities stores the user keyboard dynamics patterns and compares thestored user keyboard dynamics with the registered user purported to beusing the keyboard, thereby providing a probability the purported useris the authorized user. The sentries of the identities establish thelower limit of the probability they find acceptable for each user. Oncethe probability of an identity falls below this limit, the systemnotifies the sentries and executes any pre-defined actions that it canmachine execute through automated scripts or software applications.

A means to identify a user is to track the user behavior of the X-Ydevice they are using, in this example what is commonly referred to as acomputer mouse, or referred to as a mouse. A mouse for a computer is aninput device that translates the position of a tracking ball to theposition of the pointer on the computer display screen. A mouse may usea tracking ball or a light based location tracking mechanism, but otherkinds of a mouse exist as touch pads, touch screens, pens, stylus,joysticks or such a device that yields an x,y or x,y,z coordinate on anelectronic display screen. How the mouse is used and its placement isuser specific due to the user's length of fingers, hands, arms and bodyposition when using a mouse. When mouse activity occurs a user can beidentified by comparing the current mouse activity to a stored mouseactivity pattern associated with the user. This means of identifying theuser then provides a real time signature of a user, thus allowing realtime user identification at a computer workstation or softwareapplication.

Embodiments of this invention define a system which senses data for, orcharacteristics of, a user of a system, generally from that user'scharacteristic use of an input device or a user interface, such as anX-Y device (a mouse, touchpad, etc.) by tracking data or characteristicsof the pattern of mouse dynamics made by the user. This mouse dynamicpattern may become like an identifying signature for the user and can beused to determine if there is a discrepancy between the purported userand the active user mouse dynamics. The system defines the means torecord the mouse dynamics pattern, identify the active users using themouse, and notify proper authorities when the mouse dynamics aredetermined to be different than the user who is registered as the activeuser.

The patterns of mouse dynamics created by a user are unique to the userdue to the user's length of fingers, hand size, length of arm andposition of the mouse. The method measures the pattern by recording thecurser and mouse positions, the general resting positions of the cursorand the timing of the mouse movements and clicks. This unique pattern ofmouse behavior becomes an identifiable signature for the user.

Determining the user signature via mouse dynamics provides a means forestablishing a system to monitor the identity of users throughout anetwork of electronic devices in real time. The system to monitor useridentities stores the user mouse dynamics patterns and compares thestored user mouse dynamics with the registered user purported to beusing the mouse, thereby providing a probability the purported user isthe authorized or identified user. The sentries of the identitiesestablish the lower limit of the probability they find acceptable foreach user. Once the probability of an identity falls below this limit,the system notifies the sentries and executes any pre-defined actionsthat it can machine execute through automated scripts or softwareapplications.

To establish the probability profiles, n-gram measurements are made onthe mouse dynamics. Table 5 is an exemplary n-gram table of measurementsfor recording the x,y resting position of the mouse, where (0,0) isconsidered to be the upper left corner of the terminal screen. The x,yvalues can represent the pixel value or any divided section of theterminal screen. Table 6 uses the measurement of speed along a chosentrajectory to record the unique mouse behaviormetrics, data orcharacteristics of the user. TABLE 5 Recording the resting positions anddurations of an X-Y Device Such as a touch screen, a signature screenwith a modulus, or a mouse. User A Resting position (0, 0) Time 0 10 1112 . . . 450 . . . 3600 (seconds) frequency 0 100 140 120 . . . 4 . . .6 (200, 200) 0 10 101 102 . . . 320 . . . 3600 Time (seconds) frequency0 200 250 180 . . . 20 . . . 2

TABLE 6 Recording the speed of the X-Y device movement acrosstrajectories. User A Trajectory Vector (0, 1) Speed 0 200 300 400 . . .1000 . . . 2000 (pixels/second) frequency 0 0 1 2 47 80 (1, 1) Speed 0200 300 400 . . . 1000 . . . 2000 (pixels/second) frequency 0 0 0 0 36175

Once the system sufficiently captures the user profile, the systemcalculates the user probability distribution representation by applyinga general kernel function, K_(h)(x), which smoothes the measured datainto a density estimator, given by:

K_(h)(x)=1/h K(x/h),

where h=bandwidth and

K=Uniform, Triangle, Quartic, Gaussian, Cosinus, or etc. kernelfunction.

The parameter, h, determines the smoothness of the estimation. When h→0,the kernel estimation is less smooth, and when h→∞, the kernelestimation is very smooth. Once trained for a user, the system returnsthe likelihood value for that user. Table 7 illustrates the calculationof the likelihood for each mouse resting position event. TABLE 7 UserProbability Distribution Representation. User A Resting position (0, 0)Time 0 10 11 12 . . . 450 . . . 3600 (seconds) Likelihood 0 0.10 0.110.09 . . . 0.01 . . . 0.01 (200, 200) 0 10 101 102 . . . 320 . . . 3600Time (seconds) Likelihood 0 0.20 0.22 0.19 . . . 0.01 . . . 0.0

To make the probability distribution representation more adaptive, moreparameters and training can be tied to the probability distributionrepresentation, such as time of day or type of application. The size ofthe user probability needs only to be as large as the mouse action spacefor the user. In the case of continuous authentication of the user, thenthe user probability distribution representation needs to contain theentire set of possible n-gram measurements.

To establish the probability profile for an impostor or purportedauthorized user, embodiments of the invention may establish a globalprobability distribution representation which stores the probabilityprofile of the other users to determine a probability that the purportedauthorized user is an impostor and not the authorized or alleged user.As done for the user probability distribution representation, the systemcaptures the user's mouse dynamics and stores the timing and frequencyof events. The results, if in curve format, may but need not be,smoothed using a general kernel function to establish a kernel densityestimator. The estimator calculates the likelihood that the typistbelongs in the global set of users versus the user profile. As in Tables5, 6 and 7, similar tables are constructed for the global probabilitydistribution representation as illustrated in Tables 9 and 4. TABLE 8Global record of resting positions and times of mouse. Global Restingposition (0, 0) Time 0 10 11 12 . . . 450 . . . 3600 (seconds) frequency0 100 140 120 . . . 4 . . . 6 (200, 200) 0 10 101 102 . . . 320 . . .3600 Time (seconds) frequency 0 200 250 180 . . . 20 . . . 2

TABLE 9 Global Probability Distribution Representation for the restingpositions and times of mouse. Global Resting position (0, 0) Time 0 1011 12 . . . 450 . . . 3600 (seconds) frequency 0 0.06 0.09 0.09 . . .0.15 . . . 0.01 (200, 200) 0 10 101 102 . . . 320 . . . 3600 Time(seconds) frequency 0 0.10 0.08 0.07 . . . 0.18 . . . 0.0

With both the user probability distribution representation and theglobal probability distribution representation, the system may apply aformula, rule or algorithm for example, to determine whether it isprobable that the purported authorized user is in fact the authorizeduser. In this example or embodiment, the comparison may be made byapplying Bayes Rule to determine a posterior probability the observeduser is the alleged user. It will be appreciated by those of ordinaryskill in the art that Bayes Rule is one of numerous ways to determine aprobability here, with no one in particular being required to practicethis invention.

The posterior probability that the observed user is the alleged user,P(A|O), is given by:

P(A|O)=P(A)*L/((P(A)*L)+1−P(A)),

where P(A) is the prior probability the user is the alleged user and

L is the likelihood ratio or probability ratio.

The likelihood ratio or probability ratio is given by P(O|A)/P(O|I),where P(O|A) is the probability the alleged user produced theobservations and P(O|I) is the probability an impostor produced theobservations. Based on the threshold set for the value of P(A|O), thesystem may log out the user or notify a security sentry of a potentialbreach in security.

Determining the user signature via mouse dynamics provides a means forestablishing a system to monitor the identity of users continuouslythroughout a network of electronic devices in real time. The system tomonitor user identities stores the user mouse dynamics patterns andcompares the stored user mouse dynamics with the registered userpurported to be using the mouse, thereby providing a probability thepurported user is the identified user. The sentries of the identitiesestablish the lower limit of the probability they find acceptable foreach user. Once the probability of an identity falls below this limit,the system notifies the sentries and executes any pre-defined actionsthat it can machine execute through automated scripts or softwareapplications.

The present invention may use mouse dynamics to provide an alternativeor additional factor of authentication for the user. Probabilitydistribution representations may be constructed to determine aprobability or a likelihood that a user is a legitimate user for adevice or system (e.g. an individual account within the system).Embodiments of this invention may provide a system which notifiessecurity sentries and/or others, when a new user is entering the system;and may train the probability distribution representations for the newuser and to notify security sentries when an illegitimate user is usingan authorized user's account or device.

Embodiments of this invention provide a method to identify users usingbehaviormetrics for the purpose of authorizing electronic transactions.The invention supplies an additional factor of authentication withoutadditional hardware or intrusive means. The user behaviormetricsignature becomes the user's signature for authorizing transactions.This invention uses probability tables to produce a faster more scalableimplementation of determining if a user at an input device at atransaction terminal is the legitimate user. This invention alsoprovides a system that notifies security alerts to sentries andconfigured executable actions to rejected authorization events.

Embodiments of the present invention may use behaviormetrics toauthenticate electronic transactions. Probability profiles may beconstructed to provide the user signature to authenticate transactions.Embodiments of this invention may also supply a system by which tonotify security sentries when the likelihood the active user is not thealleged user to prevent unauthorized transactions and execute actionsrelated to unauthorized transactions.

Embodiments of this invention may define a method and a system forestablishing user identity by way of behaviormetrics for the purpose ofauthorizing electronic transactions. Embodiments of the system maynotify security sentries when a discrepancy occurs between the activeuser and the archived user. From this information the transaction can beallowed or rejected or require further identification from the user

FIG. 1 is a perspective view of a user utilizing a typical automatedteller machine 100, an electronic transaction input device, utilizing akeypad, illustrating user's hand 103, keypad keys 101, auxiliary keys102, screen 104, which may be an X-Y device such as a touch screen 104.The touch pad keys 101 are similar to keyboard keys.

Some aspects of this invention may capture or access the timing ofcertain keystrokes as one exemplary data element, or as acharacteristic. Examples given below would be for a sequence of typingthe keys such as ABC (which could also be for example 123), and anotherexample referencing the typing of keys BCD (which could also be forexample 234). However, it will be appreciated that the typing of any keysequence may be utilized depending upon the data, and the comparisonswhere authentication may be sought. It will also be appreciated by thoseof ordinary skill in the art that any one of a different number of keysmay be included within the sequence to arrive at data to be utilized inaspects of this invention. For example, in the illustration shown inFIG. 1, a key stroke sequence may be established for different keys orbuttons on the ATM machine, which may represent a common sequence,personal identification number (PIN) or other commonly typed keys byusers whose financial transaction is being authenticated. Anysub-combination, reverse combination or shorter or longer combinationsmay also be utilized.

It will also be appreciated by those of ordinary skill in the art thatbecause embodiments of this invention have so many differentapplications, the term data as used herein may constitute a multitude ofdifferent measurements, characteristics, timings or any other elementthat can be measured or used to distinguish different individual users,different users within identified demographics and different demographicgroups, to name a few.

FIG. 2 is a perspective view of a user utilizing an exemplary touchscreen on an ATM. 100, which is an X-Y device based electronictransaction input device. FIG. 2 shows user's hand 103, keypad keys 101,auxiliary keys 102, X-Y device or touch screen 104, which may be an X-Ydevice requiring some movement or it may require movement more like akeyboard.

The touch screen such as item 104 in FIG. 2 may be pressure sensitive orpressure monitoring and monitor the pressure at which the touch screenis used, which may therefore constitute part or all of the electronicsignature for the electronic transaction. Alternatively it could beinputted from the screen of a PDA device (another example of a possibleX-Y device) with a pen or stylus, which then records and transmits thesignature, wherein the signature not only contained the physicalsignature of the user, but this could be combined with any one of anumber of different other signature aspects, such as pressure, etc. onthe X-Y device.

The touch screen 104 in FIG. 3 may also be like an electronic signaturescreen wherein a stylus or pen is utilized to create an on screenelectronic signature. The signature itself would then be part of anoverall electronic identification, and may be combined with the timingof the movement of the stylus or pen, or the pressure at different partsof the signature. The signature combined with one or more of the otheror additional identifiers (pressure, movement, timing of movements,etc.) may then constitute a composite signature or identifier toauthenticate the user or person inputting to the financial transaction.

FIG. 3 is a block diagram of an exemplary data processing apparatus 140.FIG. 3 illustrates that communications interface 141 is arranged toimplement communications of computing device 140 with respect toexternal devices not shown. For example, communications interface 141may be arranged to communicate information bi-directionally with respectto computing device 140. Communications interface 141 may be implementedas a network interface card (NIC), serial or parallel connection, USBport, FireWire interface, flash memory interface, floppy disc drive, orany other suitable arrangement for communicating with respect tocomputing device 140.

In one embodiment, processing circuitry is arranged to process data,control data access and storage, issue commands, and control otherdesired operations. Processing circuitry 142 may comprise circuitryconfigured to implement desired programming provided by appropriatemedia in at least one embodiment. For example, the processing circuitry142 may be implemented as one or more of a processor and/or otherstructure configured to execute executable instructions including, forexample, software and/or firmware instructions, and/or hardwarecircuitry. Exemplary embodiments of processing circuitry include gloomhardware logic, PGA, FPGA, ASIC, state machines, and/or other structuresalone or in combination with a processor. The storage circuitry 143 isconfigured to store programming such as executable code or instructions(e.g., software and/or firmware), electronic data, databases, or otherdigital information and may include processor-usable media.Processor-usable media may be embodied in any computer program,product(s), or article of manufacture(s) which can contain, store, ormaintain programming, data and/or digital information for use by or inconnection with an instruction execution system including processingcircuitry in the exemplary embodiment. For example, exemplaryprocessor-usable media may include any one of physical media such aselectronic, magnetic, optical, electromagnetic, infrared or semiconductor media. Some more specific examples of processor-usable mediainclude, but are not limited to, a portable magnetic computer diskette,such as a floppy diskette, zip disk, hard drive, random access memory,read only memory, flash memory, cache memory, and/or otherconfigurations capable of storing programming, data, or other digitalinformation.

At least some embodiments or aspects described herein may be implementedusing programming stored within appropriate storage circuitry 143described above and/or communicated via a network or other transmissionmedia and configured to control appropriate processing circuitry 142.For example, programming may be provided via appropriate mediaincluding, for example, embodied within articles of manufacture,embodied within a data signal (e.g. modulated carrier wave, datapackets, digital representations, etc.) communicated via an appropriatetransmission medium, such as a communication network (e.g. the Internetand/or a private network), a wired in electrical connection, opticalconnection and/or electromagnetic energy, for example, via acommunications interface 141, or provided using other appropriatecommunication structure or medium. Exemplary programming includingprocessor-usable code may be communicated as a data signal embodied in acarrier wave in but one example.

User interface 144 is configured to interact with a user includingconveying data to a user (e.g., displaying data for observation by theuser, audibly communicating data to a user, etc.) as well as receivinginput from the user (e.g., tactile input, voice instruction, etc.).Accordingly, in one exemplary embodiment, the user interface may includea display 145 (e.g., cathode ray tube, LCD, etc.) configured to detectvisual information as well as a keyboard, mouse, touch pad, and/or otherinput device 146. Any other suitable apparatus for interacting with auser may also be utilized, including three-dimensional interfaces whichinstead of merely being on an X-Y plane may include three dimensions,namely X, Y and Z.

It will be understood that when components, apparatus, appliance,functions, steps or elements of this invention need to be or may beimplemented on a data processing apparatus as a whole, or any individualcomponent thereof described herein, that the apparatus or any individualcomponent as described herein may be utilized within the contemplationof this invention. For instance if a flowchart as described belowexpressly or implicitly requires for example that a processor or storagefor example be utilized, the applicable components described herein withrespect to FIG. 3 may be so utilized even if not specifically recitedfor that step.

FIG. 4 is a exemplary flowchart illustrating one embodiment of thisinvention, wherein a sequence of logical steps are shown which may beemployed to define and store the behaviormetrics to be recorded andstored for a particular input device of any type. FIG. 4 illustrates anembodiment of a process flow of the method for defining thebehaviormetrics of the input devices associated with an electronictransaction. The system queries 201 the device to determine the type ofdevice such as keyboard 202, keypad 203 or touch screen 204. Thebehaviormetrics 206 as allowed by the input device are defined andentered 205. The threshold limits to designate an imposter for thebehaviormetrics of the device 207 are entered. The behaviormetrics forsuch device is then stored 208 to be monitored for the device in thedevice database 209.

FIG. 5 is an exemplary flowchart illustrating an embodiment of thisinvention, wherein the sequence of logical steps may be employed tomonitor and store the behaviormetrics of a user for a specified inputdevice. FIG. 5 illustrates the process flow for determining the user'sbehaviormetric signature for associated input devices. The systemregisters the user 210 into the user database 211. The system queries212 the input device 213-215 at the input terminal. The user enters 216a user-defined code 217 which is unique to the user. The code can be achosen PIN or social security or password, etc. The system records 218the behaviormetrics registered in the device database 219 for the deviceunder question with respect to the user inputting the code. The systemcalculates 220 the user probability table and the global probabilitytable based on the behaviormetric inputs. The system stores 221 the userprobability table as the user behaviormetric signature into the userdatabase 211 and stores the updated global probability table into theuser database.

FIGS. 6 & 7 are exemplary flowcharts illustrating an embodiment of thisinvention, wherein the sequence of logical steps employed to configure asystem to compare a current user against an archived user, store thetransactions, notify the proper sentries when a discrepancy occurs andtake corrective actions.

FIG. 6 illustrates the process flow for configuring the securitysentries, the means for contacting the sentries and the correctiveactions regarding a discrepancy in user identification. The sentry isentered into the system 222, and then the means to contact the sentryare entered 223. The means to contact the sentry can be email, textmessaging, telephone, paging, etc 224. The system queries the registeredusers 225 from the user database 226 to be identified on the network ordevice. The users are grouped 227, and the sentry is assigned to thegroup 228 to be the users under the sentry's auspices. Once the sentryis configured, the system stores the sentry information 229 into thesentry database 230. Any alert messages 231 and any corrective actions232 for the sentry or sentries to execute are entered into the system.For example, actions to execute could be physically observing the useror turning on a camera to observe the user. Any executable correctiveactions for the system to execute are entered 233 as ancillary actionsfor the sentry. System actions, for example, could include logging theuser out of the system and preventing re-entry. The system stores 234all alert messages, sentry corrective actions and executable correctiveactions associated with a sentry or sentries into the sentry database230.

FIG. 7 illustrates the process flow for authenticating the users'identities through behaviormetrics, rejecting or allowing the electronictransaction, and alerting the security sentries in case of adiscrepancy. The user enters 235 their unique code at the transactionterminal. The system holds 239 the transaction 240 until authorization.The behaviormetrics for the input device 236-238 associated with thetransaction terminal are recorded 241. The system queries 242 thearchived user 243 behaviormetrics for such a device and matches thebehaviormetric profile of the active transaction to the storedbehaviormetric profile 244. If the match is within a pre-definedthreshold 245, the system authorizes the transaction 246 and stores 247the transaction event in the transaction database 248 with the matchinginformation.

If on the other hand the match is outside of a pre-defined threshold,the system rejects the authorization 249 and either requests anadditional factor of authentication 250 or denies further electronictransactions by that purported authorized user-until some otherauthentication or action is taken. Additional factors can be the usershowing their identification, other biometric devices such asfingerprint scans or user identified cards such as credit cards. If theadditional factor of authentication authorizes 251 the transactionsystem continues with authorizing the transaction 246. If the additionalfactor or identifier of authentication fails, the system queries 252 thesecurity sentry database 257 for the sentries and actions associatedwith a non-authorization event. The system sends 253 messages 254 to thesentries and executes any actions 255. The system stores thenon-authorization event 256 into the sentry database 257 beforecontinuing on to store the transaction event 247 into the transactiondatabase 248.

The system executing any actions 255 in response to the failure of theadditional identifier or factor, may include placing a hold that thatuser's account, sending an alarm to the system operator, causing an ATMto retain the card (if applicable), or any one of a number of differentexecutions depending on the embodiment of the invention.

FIG. 8 is a graphic representation of one embodiment of a probabilitydistribution representation 400 for keystroke timings or dynamics of auser, User A, typing keystrokes ABC, sometimes referred to as a trigramsince three keys are included. Even though there are three keys beingidentified as data or a characteristic for a given application, anyother type of measurement, type or combination of measurements may betaken to quantify that characteristic, and then utilized to distinguishand authorize the user possessing those characteristics from theremainder of the wide population or global population from which it isdesired to distinguish the authorized user. Item 401 is the numeral oneand indicates that the probability goes from zero represented by item406, to the number one represented by item 401, as will be appreciatedby those of ordinary skill in the art, on a statistical modeling basis.The probability 403 is graphed in the Y direction and the time 404 inthis aspect or embodiment of the invention is measured in milliseconds.The graphic representation shows the time 404 going from zero, which isrepresented by item 406, to 5000 milliseconds represented by item 407.

FIG. 8 also illustrates how a couple of units of data may be comparedagainst the user profile or probability distribution representation 400.For instance if data 411 is obtained at the millisecond levelrepresented by 414, it may be expected that User A would show a value atthe intersection represented by 409. However the data 411 is locatedsome distance below intersection 409. The distance 412 from data 411 tointersection 409 is represented by bracket 412 and the distance 413between data 411 and intersection 414 is represented by bracket 413. Inthis example a visual check on the location of data 411 at themilliseconds represented by intersection 414, would indicate it is moreprobable than not that the data point represents User A. It will beappreciated by those of ordinary skill in the art that depending uponthe probabilities and the sensitivity and scaling of the probabilitydistribution representation, a greater or lesser distance may or may notbe indicative that it is more probable that the purported authorizeduser is in fact the authorized user, namely User A.

It will be appreciated by those of ordinary skill in the art that forillustrative purposes, graphical representations of the probabilitydistribution representations are shown in the figures; however, any typeof representation thereof may be utilized within the contemplation ofthis invention, such as graphical representations, database or otherdata structure representations, or any nongraphical representations ofthe probability distribution, with no one in particular being requiredto practice this invention.

In a second example in FIG. 8, data 415 is shown with intersection 416indicating the number of milliseconds, and intersection 417 indicatingthe intersection with the user profile or trigram for User A. Distance418 from intersection 417 and distance 419 from intersection 416 wouldbe utilized in any one of a number of different ways to calculate aprobability that data 415 is indicative of use by the authorized user,namely User A.

It will also be appreciated by those of ordinary skill in the art thatthe representation shown in FIG. 8 need not be limited to keyboarddynamics, but may also include an X-Y dynamic related to the speed atwhich a user moves the X-Y device, such as mouse speed from point A topoint B.

FIG. 8 represents one aspect of an embodiment of this invention whereina trigram or three key keystroke is utilized to pattern or fingerprintUser A, which can be one measurement taken of User A, or it could be anaveraging or other statistical representation of two or moremeasurements blended together to arrive at curve 405 in FIG. 8, up tosome very high number of measurements scaled to present one probabilitydistribution representation. FIG. 8 shows a narrow band of occurrencesin milliseconds relative to probability, making User A relativelydistinctive from a wide population sampling or from the globalprobability distribution representation. In embodiments of thisinvention, the area 409 under curve 405 should also be one based uponprobability distribution representation analysis. The curve 405 is afirst constant that gives a continuous basis upon which to compare newdata or data on curve 405, to a global trigram such as the globaltrigram set forth in FIG. 10 for the ABC keystroke combination.

Since many features are recorded for keystroke dynamics, the probabilitydistribution representations can be used to determine moredistinguishing features of a user. Those of ordinary skill in the artwill appreciate that the same or similar features may be recorded forX-Y device dynamics. In turn, the distinguishing features can be used toconstruct a biased scoring system to authenticate the user. FIGS. 8-11illustrate the graphs of the probability distribution representationsconstructed from the data in Tables 2 and 4. FIG. 8 is the graph for theUser A probability distribution representation for the trigram ABC andFIG. 9 is the graph for the User A probability distributionrepresentation for the trigram BCD. FIG. 10 is the graph for the globalprobability distribution representation for the trigram ABC and FIG. 11is the graph for the global probability distribution representation forthe trigram BCD.

Overlaying the graphs between the user and the global user base for eachtrigram, FIGS. 12 and 13, and calculating the difference in area 470 and471 respectively, between the curves, which is the hashed area betweenthe graphs, the ABC trigram user probability distribution representationshows a larger deviation from the global or wide population probabilitydistribution representation. Therefore, the ABC trigram is a moredistinguishing feature for the user. Total difference in area under theUser A and the global probability curves for the ABC trigram is 1.1,while the total difference in area for the BCD trigram is 0.20.Normalizing these values produces a weighting vector for calculating thefinal posterior probability. The weighting vector is 0.85 and 0.15 forthe ABC and BCD trigrams respectively, yielding a final posteriorprobability given by equation 1.Posterior_(final Posterior)_(final)=(0.85*Posterior_(ABC))+(0.15*Posterior_(BCD))  (1)

The total posterior calculated for determining the likelihood that auser is User A is now biased towards the posterior probability returnedfrom the ABC trigram measurement. An impostor or purported authorizeduser will more likely fall in the global likelihood and the calculatedtotal posterior will reflect a strengthened likelihood the impostor willbe detected as such. The weights attributed to the features of thetrigram measurements can also be used in constructions of neuralnetworks, support vector machines and boosting algorithms to furtherstrengthen the bias of the more distinguishable features of anindividual.

FIG. 9 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a user typingkeystrokes BCD. The graphical item numbers, item descriptions and thedescriptions of the graph format, the X and Y parameters andmeasurements, is recited above with respect to FIG. 8, and all likeitems are numbered accordingly and a description thereof will not berepeated here to avoid repetition. FIG. 9 is a graphic representation ofUser A typing a keystroke combination of BCD, a trigram, which providesa table of a similar graphic representation, but a very different curvethan that shown for User A for the ABC trigram in FIG. 8. The curveillustrated in FIG. 9 is very different than the curve illustrated inFIG. 8 for the same user, namely User A. the area 423 under curve 421 inprobability distribution representation 420 should be one. Curve 421peaks at 421 a.

FIG. 10 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes ABC. The graphical itemnumbers, item descriptions and the descriptions of the graph format, theX and Y parameters and measurements, is recited above with respect toFIG. 8, and all like items are numbered accordingly and a descriptionthereof will not be repeated here to avoid repetition.

FIG. 10 illustrates a wide population first characteristic probabilitydistribution representation, in this example, a global ABC trigramprobability distribution representation, which also may be referred toas a histogram or a bar chart. FIG. 10 shows curve 441 with curve peak441 a, area 443 under curve 441 on probability distributionrepresentation 440 illustrates the probabilities of timing of the widepopulation.

It will be appreciated by those of ordinary skill in the art that theselection of the first characteristic upon which to take data for, orthe second third or later characteristics, will be something thatgreatly depends upon the facts and circumstances of the application,readily available data, readily available measurements and numerousother factors, all within the contemplation of this invention. The widepopulation characteristic probability distribution representationconstruction provides a very scalable method of taking data inquantities that can be determined from the circumstances, including hugenumbers of data points, to construct a probability distributionrepresentation or histogram against which to compare characteristics ordata of individuals. In some applications the wide population data orcharacteristic can comprise the probability distribution representationprofile table or graph, and in others it may represent data frommultiple, numerous or a multitude of persons (such as within ademographic or within a broader universe).

FIG. 11 is a graphic representation of one embodiment of a probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing the keystrokes BCD. The graphical itemnumbers, item descriptions and the descriptions of the graph format, theX and Y parameters and measurements, is recited above with respect toFIG. 8, and all like items are numbered accordingly and a descriptionthereof will not be repeated here to avoid repetition.

FIG. 11 represents a probability distribution representation 460 for thewide population data for the keystroke BCD combination or trigram, witharea 463 under curve 461. Similar to the global or wide populationprobability distribution representation in FIG. 10, the probabilitydistribution representation 460 in FIG. 11 may be that of numerous datapoints from one individual, or from a wide population of numerousindividuals, depending upon the application and the distinction desired.

FIG. 12 is a graphic representation of one embodiment of a probabilitydistribution representation for a user typing the keystrokes ABCillustrated in FIG. 8, overlaid on the embodiment of the probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes ABC illustrated in FIG. 10. Thegraphical item numbers, item descriptions and the descriptions of thegraph format, the X and Y parameters and measurements, is recited abovewith respect to FIG. 8, and all like items are numbered accordingly anda description thereof will not be repeated here to avoid repetition.Again, neither a graphical representation nor an overlay is required topractice this invention, but is shown in FIGS. 12 and 13 forillustrative purposes.

FIG. 12 illustrates some of the numerous possibilities for use of theprobability distribution representations or histograms as may beutilized by the embodiment of this invention. The probabilitydistribution representation illustrated in FIG. 12 is an overlay of theprobability distribution representation in FIG. 8 of User A typing ABCtrigram, onto the global ABC trigram illustrated in FIG. 10, showingdramatic distinctions or uniqueness between User A from the rest of thepopulation, indicating this may be a more accurate characteristic ordata point upon which to distinguish User A from the general populationand authenticate the keystrokes of User A. Curve 405 is the User A curveprofile on probability distribution representation, and curve 441 is theglobal or wide population curve for the keystrokes ABC. The area 470between curve 405 and curve 441 provides a larger area upon which todistinguish or compare a given data point placed therein to the User Acurve versus the wide population curve 441.

FIG. 13 is a graphic representation of one embodiment of a probabilitydistribution representation for a user typing the keystrokes BCDillustrated in FIG. 9, overlaid on the embodiment of the probabilitydistribution representation for keystroke timings of a wide populationdemographic user group typing keystrokes BCD illustrated in FIG. 11. Thegraphical item numbers, item descriptions and the descriptions of thegraph format, the X and Y parameters and measurements, is recited abovewith respect to FIG. 8, and all like items are numbered accordingly anda description thereof will not be repeated here to avoid repetition.

In a similar manner to FIG. 12, FIG. 13 is an overlay of the User A BCDtrigram, which is User A typing a sequence of keys on a keyboard, namelykeys B, C, and D, as represented by curve 421. Curve 461 is the widepopulation curve illustrated in FIG. 11 of the same keystrokes, namelykeystrokes BCD. From comparing curve 421 to curve 461 in FIG. 13, it isapparent that User A is very similar to the wide population curve 461and in comparing the results of the overlay shown in FIG. 13 to that inFIG. 12, it becomes very apparent that in choosing the bestcharacteristic of this set to use to distinguish User A from the generalpopulation is keystroke combination ABC and not the keystrokecombination BCD.

FIG. 14 is an example of a flowchart of an embodiment of this inventionillustrating one possible sequence for constructing a biased scoringsystem using a characteristic data of an authorized user. FIG. 14illustrates the process flow to construct weights for the featurescaptured by keystroke dynamics. The system includes start 500, aretrieval of user probability distribution representation 501 from theprobability distribution representations 502 for data, characteristicsor identifying features for a user or an authorized user. The systemretrieves the 503 global probability distribution representations 502for each feature recorded for the global user base. The probabilitycurve of the user is compared to the global probability curve and avalue is calculated 504 for each feature based on the difference theuser probability curve deviates from the global probability curve. Thevalues may be normalized 505 to construct a weighting vector for the setof features recorded for keystroke dynamics. The values from thenormalization are stored 506 with the probability distributionrepresentations for each feature recorded for the user.

Other aspects of this invention utilize a behaviormetric basedauthorization system or method which may utilize a unique unitizedidentifier, or identifier unit, which includes at least onebehaviormetric, which is shown schematically in FIG. 15. An identifierunit may include one or more typical identifiers, such as (withoutlimitation): possession of a money card, debit card or credit card;knowledge of a password; knowledge of a PIN; knowledge of a useridentification or other identifier. One or more of these traditionalidentifiers may now be combined in embodiments of this invention withone or more behaviormetrics, to comprise in combination, an identifierunit. Additionally utilizing one or more behaviormetrics is morecomparable to an in-person transaction at a vendor whereinidentification such as a driver's license is required to be shown tofurther identify the purported authorized user. It will however be notedthat the use of behaviormetrics as described in this invention may alsobe utilized for person to person transactions as well as additionalsecurity.

This additional identifier has not heretobefore been readily orsufficiently available for transactions, including those transactions inwhich there is not a personal or person to person interaction with thepurported authorized user. While embodiments of this invention maytherefore provide for an electronic transaction to be authorized by acombined identifier system which includes at least one behaviormetriccombined with one or more traditional identifiers, it will beappreciated that it may also be combined with face to faceidentification systems or methods as well, all within the contemplationof this invention.

FIG. 15 therefore schematically shows an identifier unit 550 with firstidentifier 551, second identifier 552 and third identifier 553, whereinthe first identifier may be a traditional identifier, the thirdidentifier 553 a behaviormetric of the purported authorized user, andthe second identifier may be either of the two. It will be noted thatany one or more traditional identifiers and any one or morebehaviormetric identifiers may be utilized within the contemplation ofthis invention. This identifier unit 550 may be referred to as asignature unit, a signature packet, an identification packet, afingerprint unit or a composite identification unit as it provides amore unique identification combination or composition than traditionalways of identifying a purported authorized user of an electronictransaction system.

The identifier unit 550 or packet may then analyzed right at the inputdevice or may be transmitted to a centralized transaction authorizationcenter by any one of known means and wherein the units may be analyzedto determine a probability that the purported authorized user is in factthe authorized user, and then approve or disapprove the transactionbased on the comparings.

It will also be noted that other behaviormetrics, without limitation,which may be utilized in embodiments or applications of this invention,may include: finger angles on a touch screen; finger width; appliedpressure on a touch screen or key pad; finger roll or other movement ona touch screen; the use of finger nails during the entry process; fingerwidth; and others, all within the contemplation of this invention.

It will be noted that because a probability distribution reference or awide population probability distribution reference are utilized, andonly one comparison needs to be made to that probability distributionreference with characteristic data of users, the speed of the comparingwill not be diminished as a result of adding new data to train orfurther comprise the probability distribution reference. This featuremakes embodiments of this invention very scalable and potentially on anear unlimited basis, without decreasing the speed of the comparings.Due to the nature of the wide population probability distributionreference, a very large number of new data points for a characteristicmay be added to the global or wide population probability distributionreference without decreasing the speed because only one comparison needsto be made to test new or ongoing data against the wide populationprobability distribution reference on an ongoing or real-time basis.These additions or new data points for addition or integration intoprobability distribution references or wide population probabilitydistribution references will be stored in storage circuitry. The speedof the updated probability distribution references will compare at theapproximate same speed as the probability distribution references beforebeing updated because a comparison is still being made against one suchprobability distribution reference, albeit an updated one with more datasupport.

As will be appreciated by those of reasonable skill in the art, thereare numerous embodiments to this invention, and variations of elements,steps and system components which may be used, all within the scope ofthis invention.

One embodiment of this invention for example is a behaviormetrics basedelectronic transaction authorization method, comprising: accessing datafrom an authorized user of an electronic transaction system; using thedata to create a first characteristic probability distributionrepresentation indicative of a behaviormetric of the authorized user;accessing new data from a purported authorized user of the electronictransaction system; comparing the new data to the first characteristicprobability distribution representation for the authorized user; anddetermining a probability that the purported authorized user of theelectronic transaction system is the authorized user based on thecomparing.

A further embodiment of that disclosed in the preceding paragraph mayfurther comprise: accessing the data from the authorized user; using thedata to create a second characteristic probability distributionrepresentation indicative of the authorized user of the electronictransaction system; accessing the new data from a purported authorizeduser; comparing the new data of the purported authorized user to thesecond characteristic probability distribution representation for theauthorized user; and determining a probability that the purportedauthorized user is the authorized user based on the comparing of the newdata to the first characteristic probability distribution representationand to the second characteristic probability distribution representationfor the authorized user. A still further embodiment of that disclosed inthe preceding paragraph may integrate updated data into the firstcharacteristic probability distribution reference without increasingtime required for comparing the new data of the purported authorizeduser to the first characteristic probability distribution representationfor the authorized user. A further embodiment may also provide providinga wide population first characteristic probability distributionrepresentation indicative of the first characteristic of a widepopulation; comparing the new data of the purported authorized user tothe first characteristic probability distribution representation for theauthorized user and to the wide population first characteristicprobability distribution representation; and determining a probabilitythat the purported authorized user is the authorized user based on thecomparing; and/or further integrate updated data into the widepopulation first characteristic probability distribution referencewithout increasing time required for comparing the new data of thepurported authorized user to the first characteristic probabilitydistribution representation for the authorized user and to the widepopulation first characteristic probability distribution representation.Some of these embodiments may further determine the probability that thepurported authorized user is the authorized user through the applicationof Bayes Rule to the new data, the first characteristic probabilitydistribution representation for the authorized user, and the widepopulation first characteristic probability distribution representation.

It will be appreciated that embodiments of this invention may beutilized in combination with electronic financial transaction devices ofall kinds, including without limitation: wherein the data is one of akeypad dynamic and an X-Y device dynamic; wherein the X-Y device dynamicis a touch screen dynamic; wherein the data comprises an electronicidentifier comprised of both a known data entry identifier andbehaviormetric data; wherein the known data entry identifier is one of auser password and a user personal identifier; and/or wherein thebehaviormetric data is one of a keypad dynamic and an X-Y devicedynamic.

It will also be appreciated that embodiments of this invention mayrequire further identifiers of the authorized user if the determining ofthe probability that the purported authorized user of the electronictransaction system yields a negative indication based on the comparing.

In a method embodiment of this invention, a behaviormetrics based methodfor determining a more probable authentication method for authorizingelectronic transactions may be provided, comprising: accessing data froman authorized user of an electronic transaction system; using the datato create a first characteristic probability distribution representationindicative of a first behaviormetric of the authorized user; using thedata to create a second characteristic probability distributionrepresentation indicative of a second behaviormetric of the authorizeduser; providing a wide population first characteristic probabilitydistribution representation indicative of the first characteristic of awide population; providing a wide population second characteristicprobability distribution representation indicative of the secondcharacteristic of a wide population; comparing the first characteristicprobability distribution representation indicative of the authorizeduser to the wide population first characteristic probabilitydistribution representation indicative of the first characteristic of awide population; comparing the second characteristic probabilitydistribution representation indicative of the authorized user to thewide population second characteristic probability distributionrepresentation indicative of the second characteristic of a widepopulation; determining which of the comparings yields a more probablecharacteristic for authenticating the authorized user from the widepopulation.

In a further embodiment of the method described in the precedingparagraph, a behaviormetrics based method for determining a moreprobable authentication method for authorizing electronic transactionsmay be provided which further comprises: accessing new data from apurported authorized user; comparing the new data of the purportedauthorized to probability distribution representations of the moreprobable characteristic for authenticating the authorized user from thewide population; further wherein the first characteristic probabilitydistribution representation indicative of the authorized user iscomprised of one of a keyboard dynamic and an X-Y device dynamic; and/orfurther wherein the X-Y device dynamic is one of a mouse input and atouchpad dynamic.

In yet another embodiment of the invention, a financial transactionidentifier unit is provided for use in authorizing financialtransactions, the identifier unit comprising: a unique physicalidentifier; and a behaviormetric identifier of a purported authorizeduser.

In a related embodiment of the invention, a behaviormetrics basedelectronic transaction authorization method is provided, comprising:accessing an identifier unit from a purported authorized user of anelectronic transaction system, the identifier unit comprising a uniquephysical identifier; and a behaviormetric identifier of a purportedauthorized user; verifying that the unique physical identifier isauthorized; comparing the behaviormetric identifier to a correspondingbehaviormetric probability distribution representation indicative of abehaviormetric of the authorized user; and determining a probabilitythat the purported authorized user of the electronic transaction systemis the authorized user based on the comparing. It will be noted that theidentifier unit referred to herein may include one or more uniquephysical identifiers and one or more behaviormetric identifiers relativeto that authorized user.

In compliance with the statute, the invention has been described inlanguage more or less specific as to structural and methodical features.It is to be understood, however, that the invention is not limited tothe specific features shown and described, since the means hereindisclosed comprise preferred forms of putting the invention into effect.The invention is, therefore, claimed in any of its forms ormodifications within the proper scope of the appended claimsappropriately interpreted in accordance with the doctrine ofequivalents.

1. A behaviormetrics based electronic transaction authorization method,comprising: accessing data from an authorized user of an electronictransaction system; using the data to create a first characteristicprobability distribution representation indicative of a behaviormetricof the authorized user; accessing new data from a purported authorizeduser of the electronic transaction system; comparing the new data to thefirst characteristic probability distribution representation for theauthorized user; and determining a probability that the purportedauthorized user of the electronic transaction system is the authorizeduser based on the comparing.
 2. A behaviormetrics based electronictransaction authorization method as recited in claim 1, and furthercomprising: accessing the data from the authorized user; using the datato create a second characteristic probability distributionrepresentation indicative of the authorized user of the electronictransaction system; accessing the new data from a purported authorizeduser; comparing the new data of the purported authorized user to thesecond characteristic probability distribution representation for theauthorized user; and determining a probability that the purportedauthorized user is the authorized user based on the comparing of the newdata to the first characteristic probability distribution representationand to the second characteristic probability distribution representationfor the authorized user.
 3. A behaviormetrics based electronictransaction authorization method as recited in claim 1, and furtherintegrating updated data into the first characteristic probabilitydistribution reference without increasing time required for comparingthe new data of the purported authorized user to the firstcharacteristic probability distribution representation for theauthorized user.
 4. A behaviormetrics based electronic transactionauthorization method as recited in claim 1, and further comprising:providing a wide population first characteristic probabilitydistribution representation indicative of the first characteristic of awide population; comparing the new data of the purported authorized userto the first characteristic probability distribution representation forthe authorized user and to the wide population first characteristicprobability distribution representation; and determining a probabilitythat the purported authorized user is the authorized user based on thecomparing.
 5. A behaviormetrics based electronic transactionauthorization method as recited in claim 4, and further integratingupdated data into the wide population first characteristic probabilitydistribution reference without increasing time required for comparingthe new data of the purported authorized user to the firstcharacteristic probability distribution representation for theauthorized user and to the wide population first characteristicprobability distribution representation.
 6. A behaviormetrics basedelectronic transaction authorization method as recited in claim 4, andfurther wherein determining the probability that the purportedauthorized user is the authorized user through the application of BayesRule to the new data, the first characteristic probability distributionrepresentation for the authorized user, and the wide population firstcharacteristic probability distribution representation.
 7. Abehaviormetrics based electronic transaction authorization method asrecited in claim 4, and further wherein determining the probability thatthe purported authorized user is the authorized user is one of apositive and a negative indication.
 8. A behaviormetrics basedelectronic transaction authorization method as recited in claim 1, andfurther wherein the data is one of a keypad dynamic and an X-Y devicedynamic.
 9. A behaviormetrics based electronic transaction authorizationmethod as recited in claim 8, and further wherein the X-Y device dynamicis a touch screen dynamic.
 10. A behaviormetrics based electronictransaction authorization method as recited in claim 1, and furtherwherein the data comprises an electronic identifier comprised of both aknown data entry identifier and behaviormetric data.
 11. Abehaviormetrics based electronic transaction authorization method asrecited in claim 10, and further wherein the known data entry identifieris one of a user password and a user personal identifier.
 12. Abehaviormetrics based electronic transaction authorization method asrecited in claim 10, and further wherein the behaviormetric data is oneof a keypad dynamic and an X-Y device dynamic.
 13. A behaviormetricsbased electronic transaction authorization method as recited in claim 1,and further comprising requiring further identifiers of the authorizeduser if the determining of the probability that the purported authorizeduser of the electronic transaction system yields a negative indicationbased on the comparing.
 14. A behaviormetrics based method fordetermining a more probable authentication method for authorizingelectronic transactions, comprising: accessing data from an authorizeduser of an electronic transaction system; using the data to create afirst characteristic probability distribution representation indicativeof a first behaviormetric of the authorized user; using the data tocreate a second characteristic probability distribution representationindicative of a second behaviormetric of the authorized user; providinga wide population first characteristic probability distributionrepresentation indicative of the first characteristic of a widepopulation; providing a wide population second characteristicprobability distribution representation indicative of the secondcharacteristic of a wide population; comparing the first characteristicprobability distribution representation indicative of the authorizeduser to the wide population first characteristic probabilitydistribution representation indicative of the first characteristic of awide population; comparing the second characteristic probabilitydistribution representation indicative of the authorized user to thewide population second characteristic probability distributionrepresentation indicative of the second characteristic of a widepopulation; determining which of the comparings yields a more probablecharacteristic for authenticating the authorized user from the widepopulation.
 15. A behaviormetrics based method for determining a moreprobable authentication method for authorizing electronic transactions,as recited in claim 14, and further comprising: accessing new data froma purported authorized user; comparing the new data of the purportedauthorized to probability distribution representations of the moreprobable characteristic for authenticating the authorized user from thewide population.
 16. A behaviormetrics based method for determining amore probable authentication method for authorizing electronictransactions, as recited in claim 14, and further wherein the firstcharacteristic probability distribution representation indicative of theauthorized user is comprised of one of a keyboard dynamic and an X-Ydevice dynamic.
 17. A behaviormetrics based method for determining amore probable authentication method for authorizing electronictransactions, as recited in claim 15, and further wherein the X-Y devicedynamic is one of a mouse input and a touchpad dynamic.
 18. A financialtransaction identifier unit for use in authorizing financialtransactions, the identifier unit comprising: a unique physicalidentifier; and a behaviormetric identifier of a purported authorizeduser.
 19. A behaviormetrics based electronic transaction authorizationmethod, comprising: accessing an identifier unit from a purportedauthorized user of an electronic transaction system, the identifier unitcomprising a unique physical identifier; and a behaviormetric identifierof a purported authorized user; verifying that the unique physicalidentifier is authorized; comparing the behaviormetric identifier to acorresponding behaviormetric probability distribution representationindicative of a behaviormetric of the authorized user; and determining aprobability that the purported authorized user of the electronictransaction system is the authorized user based on the comparing.